[PATCH 3/3] KEYS: Fix for erroneous trust of incorrectly signed X.509 certs
From: Mat MartineauArbitrary X.509 certificates without authority key identifiers (AKIs) can be added to "trusted" keyrings, including IMA or EVM certs loaded from the filesystem. Signature verification is currently bypassed for certs without AKIs. Trusted keys were recently refactored, and this bug is not present in 4.6. restrict_link_by_signature should return -ENOKEY (no matching parent certificate found) if the certificate being evaluated has no AKIs, instead of bypassing signature checks and returning 0 (new certificate accepted). Reported-by: Petko Manolov Signed-off-by: Mat Martineau Signed-off-by: David Howells --- crypto/asymmetric_keys/restrict.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/restrict.c index ac4bddf669de..19d1afb9890f 100644 --- a/crypto/asymmetric_keys/restrict.c +++ b/crypto/asymmetric_keys/restrict.c @@ -87,7 +87,7 @@ int restrict_link_by_signature(struct key *trust_keyring, sig = payload->data[asym_auth]; if (!sig->auth_ids[0] && !sig->auth_ids[1]) - return 0; + return -ENOKEY; if (ca_keyid && !asymmetric_key_id_partial(sig->auth_ids[1], ca_keyid)) return -EPERM; -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH 1/3] PKCS#7: Fix panic when referring to the empty AKID when DEBUG defined
From: Lans ZhangThis fix resolves the following kernel panic if an empty or missing AuthorityKeyIdentifier is encountered and DEBUG is defined in pkcs7_verify.c. [ 459.041989] PKEY: <==public_key_verify_signature() = 0 [ 459.041993] PKCS7: Verified signature 1 [ 459.041995] PKCS7: ==> pkcs7_verify_sig_chain() [ 459.041999] PKCS7: verify Sample DB Certificate for SCP: 01 [ 459.042002] PKCS7: - issuer Sample KEK Certificate for SCP [ 459.042014] BUG: unable to handle kernel NULL pointer dereference at (null) [ 459.042135] IP: [] pkcs7_verify+0x72c/0x7f0 [ 459.042217] PGD 739e6067 PUD 77719067 PMD 0 [ 459.042286] Oops: [#1] PREEMPT SMP [ 459.042328] Modules linked in: [ 459.042368] CPU: 0 PID: 474 Comm: kexec Not tainted 4.7.0-rc7-WR8.0.0.0_standard+ #18 [ 459.042462] Hardware name: To be filled by O.E.M. To be filled by O.E.M./Aptio CRB, BIOS 5.6.5 10/09/2014 [ 459.042586] task: 880073a5 ti: 8800738e8000 task.ti: 8800738e8000 [ 459.042675] RIP: 0010:[] [] pkcs7_verify+0x72c/0x7f0 [ 459.042784] RSP: 0018:8800738ebd58 EFLAGS: 00010246 [ 459.042845] RAX: RBX: 880076b7da80 RCX: 0006 [ 459.042929] RDX: 0001 RSI: 81c85001 RDI: 81ca00a9 [ 459.043014] RBP: 8800738ebd98 R08: 0400 R09: 8800788a304c [ 459.043098] R10: R11: 60ca R12: 8800769a2bc0 [ 459.043182] R13: 880077358300 R14: R15: 8800769a2dc0 [ 459.043268] FS: 7f24cc741700() GS:880074e0() knlGS: [ 459.043365] CS: 0010 DS: ES: CR0: 80050033 [ 459.043431] CR2: CR3: 73a36000 CR4: 001006f0 [ 459.043514] Stack: [ 459.043530] ffbf0020 31ff813e68b0 0002 [ 459.043644] 8800769a2bc0 007197b8 0002 [ 459.043756] 8800738ebdd8 81153fb1 [ 459.043869] Call Trace: [ 459.043898] [] verify_pkcs7_signature+0x61/0x140 [ 459.043974] [] verify_pefile_signature+0x2cb/0x830 [ 459.044052] [] ? verify_pefile_signature+0x830/0x830 [ 459.044134] [] bzImage64_verify_sig+0x15/0x20 [ 459.046332] [] arch_kexec_kernel_verify_sig+0x29/0x40 [ 459.048552] [] SyS_kexec_file_load+0x1f4/0x6c0 [ 459.050768] [] ? __do_page_fault+0x1b6/0x550 [ 459.052996] [] entry_SYSCALL_64_fastpath+0x17/0x93 [ 459.055242] Code: e8 0a d6 ff ff 85 c0 0f 88 7a fb ff ff 4d 39 fd 4d 89 7d 08 74 45 4d 89 fd e9 14 fe ff ff 4d 8b 76 08 31 c0 48 c7 c7 a9 00 ca 81 <41> 0f b7 36 49 8d 56 02 e8 d0 91 d6 ff 4d 8b 3c 24 4d 85 ff 0f [ 459.060535] RIP [] pkcs7_verify+0x72c/0x7f0 [ 459.063040] RSP [ 459.065456] CR2: [ 459.075998] ---[ end trace c15f0e897cda28dc ]--- Signed-off-by: Lans Zhang Signed-off-by: David Howells Cc: Dave Young Cc: Baoquan He Cc: Vivek Goyal cc: linux-crypto@vger.kernel.org cc: ke...@lists.infradead.org --- crypto/asymmetric_keys/pkcs7_verify.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/asymmetric_keys/pkcs7_verify.c b/crypto/asymmetric_keys/pkcs7_verify.c index 44b746e9df1b..2ffd69769466 100644 --- a/crypto/asymmetric_keys/pkcs7_verify.c +++ b/crypto/asymmetric_keys/pkcs7_verify.c @@ -227,7 +227,7 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7, if (asymmetric_key_id_same(p->id, auth)) goto found_issuer_check_skid; } - } else { + } else if (sig->auth_ids[1]) { auth = sig->auth_ids[1]; pr_debug("- want %*phN\n", auth->len, auth->data); for (p = pkcs7->certs; p; p = p->next) { -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH 2/3] pefile: Fix the failure of calculation for digest
From: Lans ZhangCommit e68503bd68 forgot to set digest_len and thus cause the following error reported by kexec when launching a crash kernel: kexec_file_load failed: Bad message Fixes: e68503bd68 (KEYS: Generalise system_verify_data() to provide access to internal content) Signed-off-by: Lans Zhang Tested-by: Dave Young Signed-off-by: David Howells Cc: Baoquan He Cc: Vivek Goyal cc: ke...@lists.infradead.org cc: linux-crypto@vger.kernel.org --- crypto/asymmetric_keys/mscode_parser.c |7 ++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/crypto/asymmetric_keys/mscode_parser.c b/crypto/asymmetric_keys/mscode_parser.c index 6a76d5c70ef6..9492e1c22d38 100644 --- a/crypto/asymmetric_keys/mscode_parser.c +++ b/crypto/asymmetric_keys/mscode_parser.c @@ -124,5 +124,10 @@ int mscode_note_digest(void *context, size_t hdrlen, struct pefile_context *ctx = context; ctx->digest = kmemdup(value, vlen, GFP_KERNEL); - return ctx->digest ? 0 : -ENOMEM; + if (!ctx->digest) + return -ENOMEM; + + ctx->digest_len = vlen; + + return 0; } -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH 0/3] KEYS: Miscellaneous fixes
Hi James, Here are three miscellaneous fixes: (1) Fix a panic in some debugging code in PKCS#7. This can only happen by explicitly inserting a #define DEBUG into the code. (2) Fix the calculation of the digest length in the PE file parser. This causes a failure where there should be a success. (3) Fix the case where an X.509 cert can be added as an asymmetric key to a trusted keyring with no trust restriction if no AKID is supplied. Bugs (1) and (2) aren't particularly problematic, but (3) allows a security check to be bypassed. Bug (3) is added since the 4.6 kernel. The patches can be found here also: http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=keys-fixes at tag: keys-fixes-20160718 David --- Lans Zhang (2): PKCS#7: Fix panic when referring to the empty AKID when DEBUG defined pefile: Fix the failure of calculation for digest Mat Martineau (1): KEYS: Fix for erroneous trust of incorrectly signed X.509 certs crypto/asymmetric_keys/mscode_parser.c |7 ++- crypto/asymmetric_keys/pkcs7_verify.c |2 +- crypto/asymmetric_keys/restrict.c |2 +- 3 files changed, 8 insertions(+), 3 deletions(-) -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [V2][PATCH 1/2] PKCS#7: Fix kernel panic when referring to the empty AuthorityKeyIdentifier
Lans Zhangwrote: > Let me know if I need to add this comment to commit header. I've done that. David -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html